Speaking to FP Analytics, Peter Micek of Access Now addressed the ways in which cyber mercenaries are playing a role in hybrid warfare and the importance of using multistakeholder inputs to develop new definitions and regulations to hold bad actors accountable. The following transcript has been edited for clarity and length.
FP Analytics (FPA): What makes a “cyber mercenary,” and how are private organizations classified as such, especially under international law?
Peter Micek (PM): The term “mercenary” is pretty well established in international law, notably in the Geneva Conventions. It’s someone who directly takes part in hostilities, who’s specifically recruited to do so, who’s motivated by private gain and is not a national or resident of the state parties involved in the conflict nor a member of the armed forces.
In light of new technologies, the international community needs to look at this framework and see whether it’s fit for the digital age.
I would say that from my perspective as a digital-rights advocate, we are without a meaningful agreed-upon set of binding international principles as to what defines a cyber mercenary and how to treat them.
FPA: In our work, we’ve come across multistakeholder initiatives such as the Cybersecurity Tech Accord and the Global Commission on the Stability of Cyberspace. How do multistakeholder initiatives work to prevent and deter cyber mercenaries, and what can be done to strengthen such frameworks?
PM: Coming from civil society, Access Now often raises the need for robust multistakeholder inputs into policymaking. Because, especially in the internet age, a lot of these powers—the power over access to information and the tools we need to learn, socialize, build our economies, and protect our human rights—are widely distributed. And there’s less and less reason for a state-only or multilateral approach to problems, especially in cyberspace and involving digital technologies. So we are glad to see and take part in these multistakeholder policymaking initiatives that feature deliberations by states, companies, civil society, academics, technologists, and affected communities. We believe that’s generally the best way to make policy in the digital age. The Freedom Online Coalition did great initial work around online security; it is a like-minded coalition of states that have approached a number of different issues around digital policy and done so by putting human rights and human dignity at the center of the proposals and the norms they create. We were also excited by the more civil-society and private-sector response of the Global Commission on the Stability of Cyberspace. We were excited by their work, their membership, because the commission centered the rights of the public to a safe, secure, stable, and open cyberspace where human rights can flourish by design.
FPA: How can existing international laws and frameworks be updated or adapted to the digital age?
PM: Access Now has called for binding international principles that explicitly regulate cyber mercenaries and outline the legal responsibilities of states and private tech companies that procure and use the tools and services of cyber mercenaries in ways that violate international human rights. The cows have left the barn, as we see in the proliferation of off-the-shelf commercial tools that are used to attack all sorts of actors both in and around and beyond the conflict zone.
Over the past 12 years, Access Now has tracked the rise of these small, often private, firms that develop really sophisticated censorship or surveillance technologies and market them often exclusively to governments with full knowledge that they’ll be used to violate human rights against unwitting and innocent actors. These tools—like Pegasus, a notorious spyware product developed by Israel-based NSO Group, and Sandvine’s Deep Packet Inspection censorship tech—are developed and sold across borders without any meaningful oversight or restrictions.
There are real serious jurisdictional hurdles to establishing accountability in courts and halls of justice for the violations that spyware tools enable. These companies are often small- and medium-sized enterprises that can change their names pretty quickly, change their domiciles, change their ownership, find private-equity financing, and very quickly evade any attempts at pinning them down. For this reason, Access Now supports calls by the U.N. High Commissioner for Human Rights and a number of other global experts and governments for binding rules on the targeted surveillance trade. Even as lawyers and advocates collaborate with sophisticated technologists doing the forensic work, we’re coming up short when it comes to holding either private-sector developers or their clients—the states and their intelligence and security services—responsible.
FPA: Can you explain the concept of “derivative sovereign immunity” and how cyber mercenaries have used it to avoid liability?
PM: This harks back to an established principle in law and international relations: the idea of sovereign immunity, which, in practical terms, means you can’t sue a foreign government directly.
In this new space, we have private-sector actors who are directly selling to governments extremely sophisticated and secret technologies without going through proper procurement processes and procedures. In these cases, those private companies are trying to protect their ability to do business at will. In response to lawsuits in the United States, NSO Group put up this claim of so-called “derivative sovereign immunity.”
It is essentially that private entities are behaving like states. They only sell to governments. And their activities are essential to state functions. Therefore, these private companies argue that they deserve the same protections from civil- or national-level lawsuits that states enjoy. However, their fight to protect themselves from the jurisdiction of U.S. courts has failed thus far.
FPA: How can states use tools such as sanctions to deter and punish those that use cyber mercenaries?
PM: State sanctions often intend to advance human rights and democratic values and isolate wrongdoers. But these are traditional tools that, without proper attention, may be counterproductive in the digital age, interfering with human rights or even humanitarian access by restricting access to digital services by communities at risk. Over the past couple of decades, the United States in particular has moved away from these broad comprehensive sanctions and embargoes and begun using smarter, more targeted tools and penalties against individuals and entities. The United States has a growing coordinated set of laws called the Global Magnitsky Act that are specifically intended to combat corruption and human rights abuse by sanctioning those individuals, officials, and governments responsible.
Access Now is looking at ways to better ensure that the authorities and companies responsible for sanctions—both in their development and their implementation—better understand their human rights impacts in the digital age. There should be ways to levy sanctions against the private actors who develop, and the public authorities who use, incredibly expensive, sophisticated, and powerful tools in ways that violate human rights and humanitarian law.
The U.S. Department of Commerce maintains a list of entities with whom U.S.-related businesses are restricted heavily from doing business. And a further move by the U.S. government in March ensures that government agencies do not buy the goods and services of commercial spyware developers who are known for contributing to human rights abuse or other activities that threaten the national security of the United States. We really need the private sector to be on board with any potential sanctions against cyber mercenaries and for governments to listen to civil society when told about the potential unintended adverse consequences of certain implementations.
Peter Micek is General Counsel and U.N. Advocacy Manager at Access Now, an international organization that defends and extends the digital rights of people and communities at risk. He also leads the legal team at Access Now. At the U.N., Micek advances international norms and law on digital rights, including on privacy and spyware, censorship and internet shutdowns, and civic space. He is also a lecturer at the Columbia University School of International and Public Affairs and an affiliate of the Harvard University Berkman Klein Center for Internet and Society. In 2010, he published A Genealogy of Home Visits, critiquing surveillance of at-risk communities.